[11459] in bugtraq


Re: [Re: Internet Explorer 5.0 HTML Applications]

daemon@ATHENA.MIT.EDU (McKay)
Sat Aug 21 05:51:25 1999

Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Message-Id:  <19990819211904.1259.qmail@ww182.netaddress.usa.net>
Date:         Thu, 19 Aug 1999 16:19:04 CDT
Reply-To: McKay <seanmckay@NETSCAPE.NET>
From: McKay <seanmckay@NETSCAPE.NET>
X-To:         Steve Posick <steve.posick@ESPN.COM>, BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
Content-Transfer-Encoding: 8bit

"Posick, Steve" <steve.posick@ESPN.COM> wrote:

> Solution
> Disable File Downloads or disassociate .HTA files from MSHTA.exe. Disabling
> scripting does not stop this, we believe it is due to the fact that the HTA
> is already on the local system at the time of execution, thus making it
> trusted.

The reason for this can be found in the MSDN.  It specifically
states that HTA's, once run from the local hard drive or executed
from the Internet, are considered completely trusted applications
and not under any security restrictions that IE4>= is under.  In
fact, an HTA could download an arbitrary Java application and run it.
HTA's can be very dangerous if users aren't taught to not run an HTA from
the web or to let it be downloaded to a local hard drive.

McKay
